Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Register a free account to unlock additional features at BleepingComputer.com

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: US charges Samourai cryptomixer founders for laundering $100 million

Featured Deal: A one-year Sam's Club membership is only $14 now

Latest Buyer's Guide: How to setup a VPN on your router: Detailed walkthrough

PC Locker 3.0 by Mr.Robot ext .3R9qG8i3Z (LockBit 3 Black)

Started by fodhil , Mar 24 2024 06:39 PM

This topic is locked

1 reply to this topic

#1 fodhil

Members
1 posts
OFFLINE

Local time:06:45 AM

Posted 24 March 2024 - 06:39 PM

hi,

my files were infected by ransomware which was not identified on "id ransomware"

extension used: 3R9qG8i3Z

i tried to use "malcore" to identifythe ransomware result: Greedyfather Ransomware

here is the note left:

~~~ PC Locker 3.0 by Mr.Robot~~~

>>>> Your data are stolen and encrypted

To get your files back you will have to pay a one-time fee of $45 in bitcoin or monero.

>>>> You need contact us and decrypt one file for free on these platforms with your personal DECRYPTION ID

Contact the following account on telegram

@mr_robot_unlock

or paste this link in your browser

https://t.me/mr_robot_unlock

>>>> Your personal DECRYPTION ID: 4B75BFA39AA770FC5EA571B04865E784

>>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!

>>>> Warning! If you do not pay the ransom you will not receive you files NO EXCEPTIONS!

>>>> Warning! Any attempt to negotiate or you don't want to pay is INSTANT BLOCK!

>>>> Advertisement

Would you like to earn thousands of dollars $$$ ?

We sell mentorship for stealers, DDOS and ransomware.

We only work with professionals and people with money DO NOT WASTE OUR TIME.

---------------------------------------------------------------------------------------------------

Attached Files

3R9qG8i3Z.README.txt 953bytes 0 downloads

Back to top"> Back to top

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 quietman7

Bleepin' Gumshoe

Global Moderator
61,920 posts
OFFLINE

Gender:Male
Location:Virginia, USA
Local time:01:45 AM

Posted 24 March 2024 - 07:13 PM

This looks to be a new variant of LockBit 3.0 (Black) / CriptomanGizmo ransomware (used by affiliate or non-LockBit affiliates) which will have a random 9 alpha-numerical character extension appended to the end of the encrypted data filename and typically will leave files (ransom notes) which include the same [random 9 character].README.txt as part of its name. These are some examples.

.hZiV1YwzR
.3WbzmF0CC
.JxxLLpPns
hZiV1YwzR.README.txt
3WbzmF0CC.README.txt
JxxLLpPns.README.txt

In your case, the random 9 char naming format of your README.txt ransom note and contents together with the same random 9 alpha-numerical char extension appended to your encrypted files are similar to what we have seen with this ransomware.

3R9qG8i3Z 
3R9qG8i3Z.README.txt

Some LockBit 3 Black/CriptomanGizmo ransom notes are known to include a long string of hexadecimal characters comprising a Decryption ID similar to N3ww4v3/Mimic but without an asterisk (*) and extension after the ID numbers.

Your personal DECRYPTION ID: 495927C9CC58D8A36B47827EAE1AEA72
»» Your personal DECRYPTION ID: 9FE85D4F9C7EA210F904E9BC55F74ECA
>>>> Your personal DECRYPTION ID: 8F2AC6FD69FFFB2BEF710F5010CA2763
specify your ID - 6800F4848694EC5B39B3525AF9F34521
report your ID - C7EC9516C90F63DF285
YOU LOCK-ID: 7565BD6495000673051C5B6F24EE1B30

Your ransom note contents are similar to what we have seen with this ransomware and includes a personal Decryption ID like those listed above.

>>>> Your personal DECRYPTION ID: 4B75BFA39AA770FC5EA571B04865E784

Unfortunately, there is no known method that I am aware of to decrypt files encrypted by most LockBit 3 (Black)/CryptomanGizmo ransomware as noted here without paying the ransom (not advisable) and obtaining the private encryption keys from those who created the ransomware unless they are leaked or seized & released by authorities. The criminal's master private key is needed for decryption. Without the criminal's master private key, decryption is impossible. That usually means the key is unique (specific) for each victim and generated in a secure way (RSA, AES, Salsa20, ChaCha20, EDA2, ECDH, ECC) that cannot be brute-forced...the public key alone that encrypted files is useless for decryption.

There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.

LockBit 3.0 Black / CriptomanGizmo ([random 9 chars]; README.txt) Support Topic

Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion...it includes experiences by experts, IT consultants, victims and company representatives who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff

.
.
Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023

Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click